AI is no longer only a tool insurers use. It is rapidly becoming a risk insurers underwrite — and most of the policy wordings in force today were never designed to think about it. The next two underwriting cycles are going to be defined by how insurers draw the boundary between affirmative AI cover and silent AI exposure.
Businesses are using generative AI in customer service, software development, pricing, medical support, legal drafting, marketing, HR, underwriting and decision automation. That creates new sources of liability: hallucinated advice, discrimination, privacy breaches, copyright claims, operational disruption, deepfakes, model failure, cyber exploitation and contractual disputes. The exposures sit across cyber, professional indemnity, D&O, technology errors and omissions, media liability, employment practices and general liability. Some insurers are exploring exclusions or sublimits; others are testing affirmative modular cover. The market is unsettled and the actuarial work is just beginning.
The demand is real
The Geneva Association’s 2025 report on generative AI risks found strong business interest in cover for GenAI risks and named cybersecurity, third-party liabilities and operational disruption as the leading concerns. The same report notes that insurers are adapting cyber and liability policies and that standalone coverage is emerging.
Insurance needs definable risk boundaries, underwriting data, policy wording and capital assessment. All four are still developing for AI. That is not a reason to stay out — it is the reason actuarial input matters now rather than after the first major loss.
Six categories of AI risk, with the boundary questions named
Professional and operational error. AI produces inaccurate analysis, incorrect recommendations, defective code or misleading outputs. The liability question depends on who used the AI, whether human review was adequate, what representations were made and how the contract allocated risk.
Discrimination and unfair decision-making. AI may embed or amplify bias in hiring, lending, insurance, benefits, claims or customer prioritisation. In insurance, this overlaps with fairness and conduct risk. Automated decisions also engage POPIA’s automated-decision-making provisions where legal or similarly significant effects are involved.
Privacy and data protection. AI systems process personal information, can leak confidential data, may re-identify individuals, can use data beyond consent and can generate outputs that expose sensitive information. The exposure arises in both training and use.
Intellectual property and content risk. Generative AI raises copyright, database, trade-secret, brand and media-liability questions. Businesses may be sued for AI-generated content, use of training data or misuse of protected material.
Cyber and deepfake risk. AI strengthens defensive cyber operations and also enhances phishing, social engineering, malware development and identity fraud. Deepfakes create fraud, reputational harm and operational disruption.
Systemic vendor dependency. Many companies use the same AI platforms, cloud providers, foundation models and integration tools. A defect, outage, security breach or legal injunction affecting a major AI provider could create correlated losses across insureds — and the cyber market already has a working playbook for that pattern.
Underwriting questions that didn’t exist five years ago
An AI exposure assessment now needs to ask:
- What AI systems are used and for which business functions?
- Are models internally built, externally licensed or embedded in third-party tools?
- Are outputs used in high-impact decisions?
- Is human review required and documented?
- Are prompts, outputs and model versions logged?
- What data is used and how is personal information protected?
- Are vendors contractually responsible for model defects, security and compliance?
- Is there an AI governance framework?
- Are customers told when AI is used?
- Are there testing, monitoring and incident-response processes?
None of these is operational housekeeping. Each affects frequency, severity, defence cost and aggregation directly.
Policy wording is doing the heaviest lifting
AI risk can be covered, excluded or limited through wording. As the market evolves, insurers will use endorsements, sublimits, exclusions, warranties and affirmative AI cover to draw the line between insured and uninsured AI-related losses — reflecting genuine uncertainty about accumulation and severity. From an actuarial perspective, wording clarity is essential. A model cannot reliably price a risk if the scope of cover is unclear. Ambiguity also fuels claims disputes once the losses arrive.
Modelling under sparse history
AI liability modelling sits in the familiar emerging-risk pattern — limited history, changing technology, legal uncertainty, systemic dependency and moral hazard. Useful approaches: scenario analysis, exposure mapping by AI use case, vendor accumulation mapping, Bayesian methods combining expert judgement and sparse data, policy wording classification, stress testing for large litigation and regulatory events, cyber-AI interaction scenarios, and active monitoring of incidents, case law and regulatory developments.
Insurers that build these capabilities now will be better positioned to price, underwrite and manage the next generation of technology risk. Insurers that wait will discover the gap inside a major claim. Because the analysis itself often involves AI tools, the controls on our How we use AI page apply throughout.
The South African angle
South African insurers and financial institutions should monitor AI risk through both a product lens and an operational lens. As AI adoption grows in banking, insurance, healthcare, retail and professional services, AI-related liability will affect local portfolios. The same FSCA / Prudential Authority work that shapes internal AI governance is the natural frame for the underwriting view, which is why the actuarial team is well placed to lead both.
The likely arc
AI insurance is likely to evolve the way cyber insurance evolved: from uncertainty and silent exposure toward clearer underwriting, explicit coverage, exclusions, sublimits and specialist products. Actuaries have a major role — scenario design, exposure mapping, wording analysis, capital assessment and governance.
If you are scoping AI exposure across an existing book — silent and affirmative — our Risk Management practice covers the analytics and governance.
Sources
- Geneva Association (2025) — Gen AI Risks for Businesses: Exploring the Role for Insurance
- IAA (2025) — AI Governance Framework
- NIST (2024) — AI Risk Management Framework: Generative AI Profile
- POPIA section 71 — Automated decision making
- FSCA & Prudential Authority (2025) — AI in the South African Financial Sector